Creating value with risk appetite & risk tolerance statements.

• Author: Fox, Carol
• Position: Enterprise Risk Management

It's no surprise that with the current state of the global economy, the surge of natural disasters that have wreaked havoc on countries around the world and the inordinate amount of critical and confidential electronic data that is left vulnerable to cyber predators that sound enterprise risk management (ERM) programs are not just necessary but, in many cases, are already being revamped and strengthened.

At its most basic, ERM is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. ERM represents a significant evolution beyond previous risk-specific approaches to risk management.

The discipline encompasses all areas of organizational exposure to risk - whether financial, operational, reporting, compliance, governance, strategic or reputational - and embeds risk management as a component in all critical decisions throughout the organization.

The concept of enterprise risk management is nothing new. Those in the field have been discussing it for years. But the explicit adoption of ERM within organizations has, up until recently, lagged.

Today, however, there seems to be a renewed interest in ERM. According to the 2011 RIMS Benchmark Survey of risk managers, 80 percent of organizations either have or are in the process of developing an ERM program. Seventeen percent of the respondents stated that their programs are fully integrated and address risk across the organization.

Perhaps more importantly, RIMS and Marsh's Excellence in Risk Management IX report cites that the top two responsibilities senior management assign to their risk management department are 1) increased involvement in the organization's overall business strategic planning efforts and 2) leading enterprise risk management activities.

Certainly some of this has been driven by regulators, but simple compliance with an ERM mandate will only go so far. Many risk managers realize that risks now threatening their organizations are far too complex to be sufficiently managed by traditional methods alone.

Organizations are also seeing a similar phenomenon internally as risks that affect one part of the organization frequently affect another, making it difficult for the company to reach its strategic goals. For many risk managers, it is this connection to strategy that has provided the final push to help their ERM...